Category: Security

In today’s post, I would like to share with you some easy tips you can use to improve your business security. Running a small business is not an easy task. On any given day, you can run into dozens of tasks that need to be addressed. Improving your online security doesn’t normally feature very high on your to-do list. IT SHOULD.

Small businesses have become targets for hackers simply because they know that security isn’t a high priority for many of them. Unfortunately, if your business were to be targeted the damage would be so severe that you could find it difficult to recover. Not only would you have data loss but it could also damage your reputation with clients.

Please take a look at the following easy tips to improve security for your business.

Create a cybersecurity policy

Speak with your employees about the importance of keeping personal login information out of sight. (Don’t have your passwords written on sticky notes on your desk)

Don’t share sensitive information via email.

Don’t allow employees to use the company computer for personal business.

Shut your computers off at night.

Hold your employees accountable if these procedures are not followed.

Backup Plan

You should always be careful about where your sensitive data is located, especially highly important information that belongs to your clients.

You will need to have a strict data backup plan and a data backup service in place.

These need to be off site so that even if your office has damage done to it (fire, flood, theft) you will still have access to full copies.

Check these periodically and restore from your backups to ensure they are up to date.

Use a Host-Based Security Solution

Your office needs to have some form of security software in every one of your internet connected devices.

These should be set up to scan daily for malware, spyware and viruses.

It can be hard for smaller businesses to implement more complex network security. This is where a host-based security solution comes into play.

All hosts should be set up to update regularly to ensure protection from the latest threats.

Most anti-virus solutions have automated updates built in.

Secure your Wi-Fi network

Wi-Fi is one of the common ways hackers can access sensitive information from your business.

Often Wi-Fi networks have weak encryption methods or they are not protected at all.

Always ensure you are using the highest encryption possible for your Wi-Fi network.

Choose longer, more difficult passwords for authentication to also reduce the possibility of intrusion.

In addition, you can stop broadcasting the network name, known as the SSID (Service Set Identifier).

Protect Your Partners

Small businesses frequently work with bigger organizations or companies, and this can likewise give hackers a direct route into the larger organization.

In these instances, it is essential that you protect your key suppliers/partners by securing your own perimeter.

This could include making sure that there is appropriate authorization and authentication set up, securing your infrastructure with a firewall and having anti-virus protection set up on each device.

Train Your Employees

Hackers will often attempt to gather information by using social engineering techniques, which involve deceiving one of the employees inside a business into giving up sensitive information. Training your employees about these possible social engineering scenarios means that they will be aware of them and less likely to fall for this kind of attack.

It’s frequently said that people are the weakest link in the chain. As the owner of a small business, the best thing you can do is give your employees proper security training so that they can protect themselves from online attacks as well as protect the company’s assets.

Encrypt Sensitive Data

Make sure you are safeguarding all sensitive data (client data or data shared by a third party) by encrypting the data where feasible.

You can implement full disk encryption (converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion).

This way even if your network is compromised your sensitive data will not fall into the wrong hands.

To prevent data from being intercepted between the browser and the web server, be sure to switch your business website to HTTPS.

Password Policy

Password hijacking has become one of the easiest and most common attacks that businesses today face.

Employees should not be allowed to use weak passwords and should also be required to periodically change their passwords.

This risk can be minimized by simply implementing a frequent password changing policy.

(Like every four months)

You can also require that their passwords include numbers, letters and one special character (@, $, %, <, &, *).

Network Firewall

If your office has an internal network then the first line of defense should be a Firewall before the gateway of the internal network. A Firewall can be software or hardware based.

Even a software-based firewall will help by filtering out some attacks before they reach the network.

The firewall should be placed to protect the most sensitive services like web servers, mail servers, DNS servers and FTP servers etc…

Use of Anti-Theft

Using anti-theft software on every desktop and laptop can prove useful if any business devices are stolen. The anti-theft software works by wiping any data on the hard drive, thus preventing it from getting into the wrong hands.

This type of tool also exists for smartphones, if you need to secure these too, and can be set up to track and monitor stolen devices.

Finally, a physical hardware lock for less mobile equipment (workstations, servers, printers, switches, etc.) can also act as an effective deterrent.

There isn’t any single way to fully secure your small business. You can, however, implement a few common-sense policies and back them up with appropriate hardware and software that can drastically reduce the risks posed by data loss.

We hope you have found this post useful on how to secure your business. Please visit our website or contact us if you have any questions or would like help securing your own business.

This morning I received a text message from what I thought was a potential client. It took some time, but I later found out that it was a decently executed credit card scam. This post is to show you what transpired, and to hopefully help you to not be deceived by a scam such as the one below.

The text message came early in the morning, 7:30am. It was poorly written but it was a text message so that wasn’t too surprising. The potential client said his name, said he was hearing impaired, asked if Shreveport IT Solutions can design a website for a new company and if we accept credit cards. (nothing strange so far)

“Hi,Am Jones W*****s am hearing impaired.i wanna know if u can handle website design for a new company and if u accept credit cards ?”

I responded with an initial response and suggested that we use e-mail to continue as to have an easier medium to type long form on. (Standard response)

“Hi Mr. Williams, yes we can Design and Develop websites. We also accept credit cards. If you would like to email the details of what you need to contact@shreveportitsolutions.com we can create a bid and timeline for you.”

I started to become a little suspicious when he responded insisting we continue to use text messages, but I continued.

“i can text you the detail here now”

“Ok, great. So what is the business name?”

The next string of messages were what made me seriously believe that this was a legitimate client.

Web Design

have small scale business which i want to turn into large scale business now it located in TN and the company is based on importing and exporting of Agriculture products such as Kola Nut, Gacillia Nut and Cocoa so i need a best of the best layout design for it.

the site would only be informational, so i need you to give me an estimate based on the site i gave you to check out, the estimate should include hosting and i want the same page as the site i gave you to check out and i have a private project consultant, he has the text content and the logos for the site.

Can you handle that for me ?. so i need you to check out this site but i need something more perfect than this if its possible .http://www.*******.com….

Note:

1. I want the same number of pages with the example site i gave you to check excluding videos and blogs.

2. I want only English language

3. I don’t have a domain yet but i want the domain name as ********.com

4. you will be updating the site for me.

5. i will be proving the images, logos and content for the site.

6. i want the site up and running before ending of next month.

7. My budget is $**** to $****

Kindly get back to me with:

(1) an estimate

The detail of what he said led me to believe that this was going to be a solid deal. The website that he sent that he wanted to emulate was a good site, the budget was on point, and the rest of the information sounded good for an initial starting point. I reviewed and sent him back a bid.

“Going by what the site provided shows, about 15 pages and the blogs $**** + $**** a year for hosting fees + $**** a year for website support.
Total $
$***** for design and development.
$**** a month for hosting and website support (updates and changes) Domain name purchase is separate and price varies by website name. ******.com is auctioning at $***** right now. ***** is going for $****** *******.com is already taken.”

So far the entire conversation was a little strange but still sounded fairly normal. At this point his responses turned to what I considered to be an obvious scam.

Thanks for your response, i am okay with the estimate and i wanna proceed so i will be depositing $**** using credit card so work can commence ASAP, i understand the content for this site would be needed so as for the job to commence so regarding the content i will need a Lil favor from you would be a deposit payment for my website design and the remaining $***** you would help me send it to the project consultant that has the text content and the for surgery so i will be glad if you can help me out with this favor,The favor i need from you is. i would give you my card info’s to charge for $****.so $**** log and the reason i need this favor from you is because the consultant does not have the facility to charge credit cards and i also am presently in the hospital for my website so once he has the $**** he would send the text content and logo needed for my website to you also the funds would be sent to him via cash deposit into his account,sending of funds would be after funds clear into your own account and also $100tip for your stress

I’m not going to claim to know exactly how this would have worked, but I knew a few things were definitely off. My list of a few small strange things, when added to the request to send cash funds to his private consultant, added up to a scam.

My list of oddities:

1. Text only. — I understand the need to communicate via written form because of physical impairments, but e-mail is a more appropriate medium.

2. The lack of a company name. — In some circumstances a company will withhold company names or locations without a signed NDA (Non-Disclosure Agreement). The issues with this is that he claimed to be the owner so there was no reason to withhold the name, also he never asked for an NDA.

3. The money aspects. — There are a few issues here. 1: He offered up his highest budget amount within 10 minutes of talking with me and didn’t ask for a bid or quote before telling me. 2: Once I sent him the bid, he offered up more than 50% of the money immediately without asking for a contract or how the price should be paid out. 3: the biggest issue. The request to send us extra money to then cash and send to his still unnamed private consultant. 4: Offering a $100 tip on top of the agreed bid.

4. The hospital notations. — The fact that he said that he was in the hospital and unable to get any money to the consultant was obscure. It also seemed to be a pull on the sympathy strings.

All of those issues led me to call the local police and express my concerns that it was a scam. The police instructed me to stop communication. They did not request any further information. (I’m sure this is not a rare occurrence for them)

Here is how the rest of the conversation played out.

“I am sorry sir, our company can not accommodate that. Any transactions between you and the private consultant would need to be made between your two parties.”

i want you too help me with this because right now am in the Hospital

“I am sorry to hear that, but our company cannot do business that way. I hope you find someone to build your site for you. I hope you get better soon.”

Last year around this time, Google updated Chrome, adding a unique feature to the company’s web browser—Speech Recognition. Six months later, Tal Ater, an SME in this field, discovered what he considered a serious breach of security in the Chrome web browser, and the culprit—speech recognition.

How Chrome’s speech recognition works

Google created a speech-recognition Application Programming Interface (API) that informs developers building websites how to interact with Google Chrome and the computer’s microphone. The whole purpose is to give visitors to the website the ability to control their experience using voice commands, rather than having to type or click.

What makes the feature interesting is that Google transcribes the voice command into text. After transcription, Chrome sends the text to the website; where the web server deciphers the command, then executes it. Visiting this link will demonstrate the speech-recognition API.

Ater’s contention

When visitors first arrive at a speech-recognition enabled website, they are offered a choice, interface with the website normally, or give the website permission to use the microphone.

There should be an indication similar to the slide seen above, notifying that the microphone is active. Ater’s security concern centers on how the web site can enable the microphone without advertising that it is active. One example was what he called a pop-under window:

“When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden pop-under window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.”

This may be a bit difficult to visualize. To clarify the process, Ater created a YouTube video showing how the pop-under window works.

Bottom line, if Ater’s contention is valid, putting Chrome’s speech-recognition API in the hands of an ill-intentioned website developer could turn a remote computer’s Chrome web browser and built-in microphone into a listening device.

How the listening device works

Let’s say a bad guy created a malicious website that uses speech recognition. Upon viewing, the malicious website appears to be an exact duplicate of someone’s favorite website. That user receives an email saying there is a gift waiting for him at his favorite website, just click the link. Unknown to this person, it’s a phishing email, and the link sends that person to the malicious website instead. That person is asked to try the new speech recognition feature. They say yes.

According to Ater, this computer is now a remote listening device. The malicious site will be able to monitor everything within range of the microphone, whether the user knows it or not.

Google or Ater, who is right?

Ater first reported his findings privately to Google in September 2013. Ater said Google engineers had a fix within weeks. Then a week ago, with no evidence of Google removing the bug from Chrome, Ater decided to go public:

“As of today, almost four months after learning about this issue, Google is still waiting for the standards group to agree on the best course of action, and your browser is still vulnerable.”

“[T]he web’s standards organization, the W3C, has already defined the correct behavior which would’ve prevented this… This was done in their specification for the Web Speech API, back in October 2012.”

Options to prevent eavesdropping

I want to reiterate, for speech recognition to work, the visitor must initially give the website permission to use the computer’s microphone. If permission is not given, the exploit falls apart.

There are ways to prevent eavesdropping for those who want to use speech recognition. There are also ways to disable speech recognition completely. For example:

The default setting in Chrome is “Ask if a microphone requires access” (see slide below). One option is to trust that Chrome asking for permission, plus some kind of indication that the microphone is on will be enough security.

Users who visit sites that use speech recognition and want to use it, but do not trust the software indicator have the ability to toggle the microphone on and off as shown below.

Users who are concerned about eavesdropping more than using speech recognition can click on the setting circled in red (as seen below) and leave it.

One problem: all of the above options are software based. There is no hard-wired switch to shut the on-board microphone off. For those concerned about this, there are two additional options:

Visit the Web Speech API demonstration website I mentioned earlier. If the microphone is off, you will get verification similar to the slide below.

For those who want to be absolutely sure, physically disable the on-board microphone, and when a microphone is required, plug an auxiliary microphone into the appropriate socket.

The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages–or decrypt them and hand them over at the order of a government agency.

The iMessage system is Apple’s proprietary text system, which works only among iOS devices. It uses a series of servers owned by Apple that receive and forward messages. Those messages are sent via Apple’s PUSH notification service, which keeps an IP connection open all the time to check for new notifications and display messages. Each iPhone, iPod or other iOS device serves as a PUSH client, and they communicate with Apple’s servers over SSL. The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system.

One major issue is that Apple itself controls the encryption key infrastructure used for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users’ messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but it’s possible that the company could. Users’ AppleID passwords also are sent in clear text to the Apple servers.

“What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order. As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages,” the pair, who work for Quarkslab, wrote in a long analysis of the iMessage protocol.

“Also remember that the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they have your metadata.”

Because the iMessages go through Apple’s servers, the company essentially has a man-in-the-middle position on all of the communications among those devices. The company uses proper encryption to protect the communications, but the Quarkslab researchers discovered that Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers. During their research, Pod2g and GG were able to create a new certificate authority, add it to an iPhone keychain and then proxy the SSL communications to and from the device. Certificate pinning is the process of associating a given host with a specific certificate. That way, if a browser or other client encounters a certificate for a host that isn’t the expected one, it can reject it and warn the user of the problem. Google, for example, uses certificate pinning for many of its Web properties.

“I guess they just didn’t get around to it. There’s no great reason, I think they just didn’t do it. The Twitter app does, which is kind of ironic because Twitter isn’t typically handling your sensitive information,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University.

The lack of certificate pinning for iMessage is troubling, the researchers said, as it opens the door for attackers to create a forged CA, and if they can get it onto a device or devices, proxy all of the supposedly encrypted communications. This is especially problematic in enterprise environments that employ Apple’s iPhone Configuration Utility, which enables enterprises to manage iPhones centrally. An attacker could install his CA at enrollment on all of the target devices.

“All communications to Apple’s servers are made through a secure SSL tunnel. We do not need to know what protocol is used or how packets are forged. The first thing we want to try when we see that is adding a certificate to perform a MITM. We were actually very surprised it worked as easily, which means there is no certificate pinning. We created a fake CA, and added it to the iPhone keychain. Then, we could [proxy] communications much more easily. When a SSL communication arrives to the proxy, we generate a certificate signed by the newly added CA, and everything becomes unencrypted,” the researchers said.
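The keychain attack the researchers describe above is exactly what certificate pinning is meant to defeat. The Go program below is an added example written for this page; it is not Quarkslab’s iMiTMProtect tool, nor Apple’s or the iMessage client’s code. It generates throwaway certificates in memory, uses the placeholder host name imessage.example, and runs three handshakes over loopback: the genuine server passes with a pinned key; a proxy certificate issued by a rogue CA that has been added to the trust store passes ordinary chain validation when no pin is enforced (the situation the researchers found); and the same proxy is rejected once the client pins the genuine server’s public key. The helper names (newCert, SPKIPin, PinnedVerifier, Handshake, Demo) are this example’s own, not names from the research or from Apple’s software.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

const host = "imessage.example" // placeholder host name, not a real Apple endpoint

// newCert is a test fixture: it issues a certificate for cn, signed by parent (self-signed when nil).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the system RNG is broken
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:  []string{cn}, // the leaf needs a SAN for host name verification
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // CreateCertificate output always parses
	return cert, key
}

// SPKIPin returns the base64 SHA-256 of the SubjectPublicKeyInfo, the usual form of a key pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedVerifier runs after normal chain validation and also requires a pinned key somewhere in the validated chain.
func PinnedVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, cert := range chain {
				if slices.Contains(pins, SPKIPin(cert)) {
					return nil
				}
			}
		}
		return errors.New("pinning: validated chain carries no pinned public key")
	}
}

// Handshake runs one TLS handshake over loopback: the server presents srvCert; the client trusts pool and enforces pins if given.
func Handshake(srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey, pool *x509.CertPool, pins []string) error {
	cliCfg := &tls.Config{RootCAs: pool, ServerName: host}
	if len(pins) > 0 {
		cliCfg.VerifyPeerCertificate = PinnedVerifier(pins)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: accept one client and drive its handshake to completion
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo models the article's scenario: a rogue CA was added to the trust store and a proxy presents a certificate it issued for the real host.
func Demo() (genuineOK, proxyOKUnpinned, proxyRejectedPinned bool) {
	genuine, genuineKey := newCert(host, false, nil, nil)
	rogueCA, rogueCAKey := newCert("rogue-ca.example", true, nil, nil)
	proxy, proxyKey := newCert(host, false, rogueCA, rogueCAKey) // forged for the MITM proxy
	pool := x509.NewCertPool()
	pool.AddCert(genuine)
	pool.AddCert(rogueCA) // now trusted, like the fake CA added to the iPhone keychain
	pins := []string{SPKIPin(genuine)}
	genuineOK = Handshake(genuine, genuineKey, pool, pins) == nil
	proxyOKUnpinned = Handshake(proxy, proxyKey, pool, nil) == nil // chain validation alone passes
	proxyRejectedPinned = Handshake(proxy, proxyKey, pool, pins) != nil
	return
}

func main() {
	fmt.Println(Demo()) // true true true
}
```

Two design choices are worth noting. The pin is the SHA-256 of the SubjectPublicKeyInfo rather than of the whole certificate, so the server can renew its certificate without breaking clients as long as it keeps the same key. And PinnedVerifier takes a list, so a backup pin for a pre-generated spare key can ship alongside the live one; a client that pins a single key with no backup turns a routine key rotation into an outage.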

The researchers put together several scenarios through which an attacker could intercept iMessage transmissions through a MiTM attack. They also developed a tool called iMiTMProtect that can defeat certain of these attacks on OS X devices. Green of Johns Hopkins said that there are other methods that Apple could have used for the key infrastructure to avoid some of these problems.

“Companies like Silent Circle do real end-to-end key management and OTR (Off the Record) messaging. So all of these instant message things that use OTR-like protocols, they do end to end key establishment. The idea there is that the two parties establish keys without any central directory. And then what you’re supposed to do is either compare a key fingerprint over another phone line or you’re supposed to check – Silent Circle has an authentication string – so you’re supposed to read this string back and forth over the phone. That is the alternative way. That is the de-centralized version of this where you don’t have to trust Apple or some centralized server. And maybe that’s too hard for some people, but a lot of people will use OTR; it’s pretty easy to use. It certainly wouldn’t be so hard to add something like that as an optional feature for security-conscious people into iMessage. Definitely you can do better,” Green said.